From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH nf-next,v2 0/6] nf_tables inner tunnel header match support
Date: Thu, 6 Oct 2022 00:37:34 +0200
Message-ID: <20221005223740.22991-1-pablo@netfilter.org>

Hi,

This is version 2 for this patchset.

The inner expression provides a packet parser for the tunneled packet
which uses a userspace description of the expected inner headers. Then,
the inner expression (only payload and meta supported at this stage) is
used to match on the inner header protocol fields, using the new link,
network and transport offsets as well as inner metadata.

This patchset adds support for VxLAN, Geneve, GRE and IPIP. More tunnel
protocols can be supported via userspace updates only.

Changes in this v2:

Patch #1 interpret GRE flags to handle variable GRE header size.
Patch #2 no changes in IPIP support.
Patch #3 add nft_inner_parse_tunhdr() helper function to prepare
         for caching the inner offset in percpu area.
Patch #4 add NFT_PKTINFO_INNER_FULL flag and percpu area to cache
         the inner link, network and transport offsets. So the inner
         offsets are calculated once for the inner header type specified
         by userspace.
Patch #5 no changes in meta inner support.
Patch #6 add geneve support, this is required because it has optional
         TLV area which needs to be considered to accordingly calculate
         the inner link layer offset.

Thanks.

Pablo Neira Ayuso (6):
  netfilter: nft_payload: access GRE payload via inner offset
  netfilter: nft_payload: access ipip payload for inner offset
  netfilter: nft_inner: support for inner tunnel header matching
  netfilter: nft_inner: add percpu inner context
  netfilter: nft_meta: add inner match support
  netfilter: nft_inner: add geneve support

 include/net/netfilter/nf_tables.h        |   6 +
 include/net/netfilter/nf_tables_core.h   |  25 ++
 include/net/netfilter/nft_meta.h         |   6 +
 include/uapi/linux/netfilter/nf_tables.h |  27 ++
 net/netfilter/Makefile                   |   3 +-
 net/netfilter/nf_tables_api.c            |  37 +++
 net/netfilter/nf_tables_core.c           |   1 +
 net/netfilter/nft_inner.c                | 366 +++++++++++++++++++++++
 net/netfilter/nft_meta.c                 |  62 ++++
 net/netfilter/nft_payload.c              | 114 ++++++-
 10 files changed, 645 insertions(+), 2 deletions(-)
 create mode 100644 net/netfilter/nft_inner.c

--
2.30.2
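
Added example, not part of the original message and not code from this patchset: a userspace C illustration of why the GRE flags (patch #1) and the Geneve option TLV area (patch #6) must be read before the inner header offset is known. The function names and sample bytes are hypothetical; the header layouts assumed are those of RFC 2784/2890 (GRE) and RFC 8926 (Geneve).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bits in the first GRE header byte (RFC 2784 / RFC 2890). */
#define GRE_F_CSUM    0x80
#define GRE_F_ROUTING 0x40
#define GRE_F_KEY     0x20
#define GRE_F_SEQ     0x10

/* Offset of the inner packet from the start of the GRE header, or -1. */
int gre_inner_offset(const uint8_t *hdr, size_t len)
{
	size_t off = 4;                        /* flags/version + protocol type */

	if (len < off)
		return -1;
	if ((hdr[1] & 0x07) != 0 || (hdr[0] & GRE_F_ROUTING))
		return -1;                     /* only version 0 without routing */
	if (hdr[0] & GRE_F_CSUM)
		off += 4;                      /* checksum + reserved1 */
	if (hdr[0] & GRE_F_KEY)
		off += 4;
	if (hdr[0] & GRE_F_SEQ)
		off += 4;
	return off <= len ? (int)off : -1;     /* reject truncated headers */
}

/* Offset of the inner link-layer header from the Geneve header start, or -1. */
int geneve_inner_offset(const uint8_t *hdr, size_t len)
{
	size_t off;

	if (len < 8 || (hdr[0] >> 6) != 0)     /* 8-byte base header, version 0 */
		return -1;
	off = 8 + (size_t)(hdr[0] & 0x3f) * 4; /* Opt Len counts 4-byte words */
	return off <= len ? (int)off : -1;     /* options must fit in the packet */
}

/* Constructed sample headers, not captured traffic. */
static const uint8_t gre_key_seq[12] = { 0x30, 0x00, 0x08, 0x00, 0, 0, 0, 1, 0, 0, 0, 7 };
static const uint8_t geneve_opts[16] = { 0x02, 0x00, 0x65, 0x58, 0, 0, 0x2a, 0 };

int main(void)
{
	printf("gre=%d geneve=%d\n", gre_inner_offset(gre_key_seq, sizeof(gre_key_seq)),
	       geneve_inner_offset(geneve_opts, sizeof(geneve_opts)));
	return 0;
}
```

A filter that assumed a fixed tunnel header size would read the key and sequence fields, or the Geneve options, as if they were inner protocol fields; the bounds checks reject headers whose flags or option length claim more bytes than the packet holds.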